1. Who we are
"KPMG," "we," "our," and "us" refer to the group of companies that constitute KPMG in Portugal, which include KPMG & Associados – Sociedade de Revisores Oficiais de Contas, S.A., KPMG Advisory - Consultores de Gestão, S.A. and KPMG Portugal - S.G.P.S., S.A.
KPMG is an independent affiliate of KPMG International Limited ("KPMG International"), a private English company limited by guarantee. KPMG International provides no client services.
KPMG is the Responsible Entity or co-responsible for the collection and processing of your personal data, when deciding which data to collect, forms of processing and purpose of the data that is being processed.
Additionally, KPMG processes personal data as a Processor Entity, on behalf of and according to the instructions of other responsible entities, under the framework of our professional services.
2. Our commitment
If you are our client, prospective client, applicant, alumni, supplier, partner, or user of our websites or mobile apps, we recommend reading this document and the Terms and Conditions of our services.
KPMG promotes the protection of confidentiality and privacy of the information entrusted to us. As part of this core obligation, KPMG equally promotes the adequate protection and use of personal data (referred to as “personal data”, “personally identifiable information” or “IPIs”) collected through our websites.
3. What personal data do we collect and process
When you register or submit personal information to KPMG we will use this information in the manner outlined in this privacy statement. Your personal information is not used for other purposes, unless we obtain your permission, or unless otherwise required or permitted by law or professional standards.
Essentially, an item of personal data is any information, which, directly or in aggregation with other information, can identify a natural person.
The following table summarises the main categories of personal data we process:
| Personal data category | Examples |
|---|---|
| Identification and contacts | Name, ID number, VAT number, photo, signature, address, phone number or e-mail. |
| Biographical data | Birth date, gender, citizenship, place of birth, civil status, family composition, educational qualifications, professional experience, LinkedIn profile or criminal record. |
| Financial data | IBAN, income or real estate/ financial assets. |
| Relationship with KPMG | Information regarding the attendance to KPMG events or promoted by KPMG, or business interactions between Data subjects and KPMG. |
| Opinions and preferences | Preferences regarding the sending of invitations and KPMG publications, comments from beneficiaries in social networks where KPMG is present, or responses to surveys. |
| Contents | Information included in written communications between Data subjects and KPMG or surveillance images. |
| Use of websites and apps | Websites visited, or information on equipment used (for example, IP address, geographical localization, browser used). |
As a responsible or co-responsible entity, KPMG will also process other personal data, including special categories of information (for example, health information) when performing public interest activities, namely in the rendering of Audit/Assurance Services or other professional services.
KPMG collects the above-mentioned personal data through the following means of collection:
| Means of collection | Examples |
|---|---|
| Information provided by Data subjects | Data or contents provided directly by the Data subjects (i) in their interaction with KPMG professionals, (ii) in letters or e-mails sent to KPMG, (iii) in the definition of preferences regarding KPMG communications, (iv) in attending events, (v) in the submission of KPMG applications, or (vi) in the answer to surveys. |
| Data collected in social networks | Data regarding the interaction by Data subjects in KPMG social networks or in public profiles of beneficiaries in social networks (for example LinkedIn, curriculum vitae for online application to a KPMG job, we will use the information you provide to verify the job opportunities available at KPMG). |
| Data collected from third parties | Data collected by KPMG from its customers while rendering professional services or from other third parties (e.g. Banco de Portugal – BdP, public authorities, insurance companies). |
| Persistent cookies | Data regarding the use of sites and KPMG apps (e.g. visited websites; user preferences), collected through KPMG cookies or from third parties. |
4. Collection of personal information
— IP addresses
An IP address is a number assigned to your computer whenever you access the internet. It allows computers and servers to recognize and communicate with one another. IP addresses from which visitors appear to originate will be recorded for IT security and system diagnostic purposes. This information will also typically be used in an aggregate form to conduct website trend and performance analysis.
Cookies will typically be placed on your computer or on an internet-enabled device whenever you visit us online. This allows the site to remember your computer or device and serves a number of purposes.
On some of our websites, a notification banner will appear allowing you to manage your consent to collect cookies (cookie banner). Below is a summary of the categories of cookies collected on our websites, and how your consent may impact your experience of certain features as you navigate those websites:
Although most browsers automatically accept cookies, you can choose whether or not to accept cookies via the cookie consent banner or your browser's settings (often found in your browser's Tools or Preferences menu). If you wish to revoke your selection, you may do so by clearing your browser’s cookies, or by updating your preferences in the cookie banner.
Further information about managing cookies can be found in your browser's help file or through sites such as www.allaboutcookies.org.
Below is a list of the types of cookies used on our websites:
| Purpose | Description | Type & Expiry |
|---|---|---|
| Performance (i.e., User's Browser) | Our websites are built using common internet platforms. These have built-in cookies which help compatibility issues (e.g., to identify your browser type) and improve performance (e.g., quicker loading of content). | Session, deleted upon closing the browser, or persistent |
| Security Cookies | If you register for access to a restricted area, our cookies ensure that your device is logged for the duration of your visit. You will need your username and password to access the restricted areas. | Session, deleted upon closing the browser, or persistent |
| Site Preferences | Our cookies may also remember your site preferences (e.g., language) or seek to enhance your experience (e.g., by personalizing a greeting or content). This will apply to areas where you have registered specifically for access or create an account. | Session, deleted upon closing the browser, or persistent |
| Analytical | We use several third-party analytics tools to help us understand how site visitors use our web site. This allows us to improve the quality and content on kpmg.com for our visitors. The aggregated statistical data cover items such as total visits or page views, and referrers to our web sites. For further details on our use of Google Analytics, see below. | Persistent, but will delete automatically after two years if you no longer visit kpmg.pt |
| Social sharing | We use third party social media widgets or buttons to provide you with additional functionality to share content from our web pages to social media websites and e-mail. Use of these widgets or buttons may place a cookie on your device to make their service easier to use, ensure your interaction is displayed on our webpages (e.g. the social share count cache is updated) and log information about your activities across the Internet and on our websites. We encourage you to review each provider's privacy information before using any such service. For further details on our use of social media widgets and applications, see below. | Persistent, but will be deleted automatically after two years if you no longer visit kpmg.pt |
Other third-party tools and widgets will be used on our individual web pages from time to time to provide additional functionality. Depending on how you set your preferences in your browser and/or the cookie banner, use of these tools or widgets will typically place a cookie on your device to make their service easier to use, and ensure your interaction is displayed on our webpages properly.
Cookies by themselves do not tell us your e-mail address or otherwise identify you personally. In our analytical reports, we will obtain other identifiers including IP addresses, but this is for the purpose of identifying the number of unique visitors to our websites and geographic origin of visitor trends, and not to identify individual visitors.
— Google Analytics
KPMG uses Google Analytics and Adobe Analytics. More information about how Google Analytics is used by KPMG can be found here: http://www.google.com/analytics/learn/privacy.html
— Web Beacons
A web beacon is a small image file on a web page that can be used to collect certain information from your computer, such as an IP address, the time the content was viewed, a browser type, and the existence of cookies previously set by the same server. KPMG only uses web beacons in accordance with applicable laws.
KPMG or its service providers will use web beacons to track the effectiveness of third-party web sites that provide us with recruiting or marketing services or to gather aggregate visitor statistics and manage cookies.
You have the option to render some web beacons unusable by rejecting their associated cookies. The web beacon may still record an anonymous visit from your IP address, but cookie information will not be recorded.
In some of our newsletters and other communications, we will monitor recipient actions such as email open rates through embedded links within the messages. We collect this information to gauge user interest and to enhance future user experiences.
— Location-based tools
KPMG will collect and use the geographical location of your computer or mobile device. This location data is collected for the purpose of providing you with information regarding services which we believe may be of interest to you based on your geographic location, and to improve our location-based products and services.
— Social media widgets and applications
KPMG websites will typically include functionality to enable sharing via third party social media applications, such as the Facebook Like button and Twitter widget. These social media applications will collect and use information regarding your use of KPMG websites (see details on 'Social Sharing' cookies above). Any personal information that you provide via such social media applications will often be collected and used by other members of that social media application and such interactions are governed by the privacy policies of the companies that provide the application. We do not have control over, or responsibility for, those companies or their use of your information.
In addition, KPMG websites may host blogs, forums, crowd-sourcing and other applications or services (collectively "social media features"). The purpose of social media features is to facilitate the sharing of knowledge and content. Any personal information that you provide on any KPMG social media feature will typically be shared with other users of that social media feature (unless otherwise stated at the point of collection), over whom we often have limited or no control.
KPMG understands the importance of protecting children's privacy, especially in an online environment. In particular, our sites are not intentionally designed for or directed at children under the age of 13. It is our policy never to knowingly collect or maintain information about anyone under the age of 13, except as part of an engagement to provide professional services.
5. How we process personal data
The processing of data is an operation or set of operations performed over personal data, through automatic or manual means, including the collection, storage, usage, copy and transfer.
At KPMG we process personal data in a lawful, fair and transparent manner and for specific purposes. The processing of additional secondary data will only be performed if (i) they are compatible with the authorized purposes and are communicated to Data subjects or (ii) they are the object of specific and explicit consent from the Data subjects. We may also process your personal data without your knowledge or consent in compliance with Data Protection Legislation where this is required or permitted by law.
The sections below describe the main purposes of processing in KPMG, in compliance with the respective legal grounds we have to use your personal information.
Performance of a contract
KPMG will process the data necessary for the signature, execution or management of contracts where the data subject is a party, or for pre-contractual proceedings at the request of the Data subjects:
| Purpose of the processing | Examples |
|---|---|
| Client and engagement acceptance | Client acceptance, client continuance, engagement acceptance, in compliance with the KPMG policies and legal and regulatory rules (e.g. independence rules). |
| Contracting | Preparation, evaluation and signature of contracts and confidentiality agreements regarding the products and services to be provided by KPMG. |
| Service rendering | Performance of the service as agreed with Data subjects. |
| Invoicing and collection | Issuance of invoices and collection management. |
| Service contracting and payment to suppliers | Evaluation of suppliers, contracting, renegotiation and termination of contracts with suppliers, evaluation of services rendered and payment to KPMG suppliers and service providers. |
Compliance with legal or regulatory obligations
KPMG will process the data required to comply with the several legal and regulatory obligations to which it is subject, including the Commercial Code, Civil Code, Tax legislation, OROC regulation, the legal framework of CMVM’s audit supervision, the law on the prevention of money laundering and terrorism financing, international auditing standard 230 (ISA 230) and the international quality control standard 1 (ISQC 1):
| Purpose of the processing | Examples |
|---|---|
| Reporting of information and reply to requests from regulators and public authorities | Reporting of mandatory information and reply to several requests from regulators (e.g. CMVM, OROC) and public authorities (e.g. BdP, Courts, Portuguese Tax Authorities – AGT). |
| Prevention of money laundering crimes and terrorism financing | Monitoring of lists of persons and entities subject to commercial or financial sanctions, or identification and reporting of suspicious operations. |
| Accounting and Financial Reporting | Accounting record and preparation and disclosure of KPMG financial statements and of the transparency report. |
| File management | Collection, classification and storage of physical and electronic documents with personal data in the file management, which constitute mandatory evidence within KPMG activity. |
KPMG will process the data required when performing public interest activities, namely the provision of Audit/Assurance services, taking into consideration the specific characteristics of the client, the international standards of auditing (ISA) and KPMG’s auditing methodology.
KPMG will process information about you where it is in our legitimate interest in running a lawful business to do so in order to further that business, so long as it does not outweigh your interests:
| Purpose of the processing | Description |
|---|---|
| Accounts and contact management | Segmentation of clients, pipeline and client contacts management, prospective clients, partners and suppliers. |
| Preparation of proposals | Preparation and submission of proposals to clients or prospective clients. |
| Direct Marketing | Sending communications (e-mails) to clients, prospective clients and alumni related to the promotion of events, disclosures of technical publications and service/products promotion. |
| Events management | Planning and organization of events, either by KPMG or supported by KPMG. |
| Quality control | Quality control of services provided by KPMG to its clients, in accordance with international standards on auditing, guidelines from OROC and KPMG’s international policies. |
| Management control | Preparation of KPMG’s management control information. |
| Litigation management | Exercise of contractual or legal and defence rights in case of emerging judicial or extra-judicial litigations. |
| Reporting to KPMG International | Preparation of several reports to KPMG International, in accordance with the obligations associated to KPMG license. |
| Internal Audit | Collection and data analysis within the framework of KPMG’s internal audit processes and operations. |
| Management and security of information systems and facilities | Processes of management and monitoring of information systems and technological infrastructures, recording of access and usage of systems, processes of detection, analysis and response to potential data breaches, identity control and accesses to KPMG’s information systems, or physical accesses control to facilities. |
| Video surveillance | Video surveillance of KPMG’s physical facilities. |
| Evaluation of customer satisfaction | Evaluation of customer satisfaction through interviews or specific questionnaires. |
Consent from the Data subjects
In some cases, KPMG will ask you for specific permission to process some of your personal information, and we will only process your personal information in this way if you agree to us doing so. You may withdraw your consent at any time by contacting KPMG at email@example.com.
| Purpose of the processing | Examples |
|---|---|
| Market research | Collection and personal data analysis within studies or market analysis. |
| Customize the experience in websites | Use of persistent cookies for activity registration and user preferences in KPMG sites. |
6. What are the retention and personal data processing periods?
KPMG retains and processes data for the necessary period of time and for as long as the legitimate purposes for which the data is processed subsist, in order to comply with contractual, legal and regulatory obligations, or for protection of the legitimate interests of KPMG:
| Purpose of retention | Retention period |
|---|---|
| Legal, tax or regulatory obligation, or contract compliance | 10 years after the end of the contract or document date, wherever applicable. KPMG will retain the personal data for longer periods based on legitimate interest, namely KPMG’s defence in judicial proceedings. |
| Retention of video surveillance | 30 days. |
| Maintenance of client or prospective client's preferences | Indefinite, namely for information regarding the beneficiary's preferences in relation to the communication of events or sharing of KPMG publications. |
7. What are your rights as data subjects
KPMG ensures the exercise of the rights of data subjects regarding their treatment. If KPMG processes personal information about you, you have the following rights:
| Rights of the Subject | Description |
|---|---|
| Access | Data subjects have the right to access their personal data that they have provided to KPMG or that result from the use of KPMG services, as well as to their conditions for treatment. |
| Correction | Data subjects have the right to request inaccurate or incomplete information to be corrected (e.g. address, e-mail address, and telephone contacts). |
| Objection or withdrawal of consent | Data subjects have the right to oppose data processing based on the legitimate interest of KPMG or to withdraw their consent for data processing based on consent. |
| Right to be forgotten | Data subjects have the right to request the erasure of their personal data held by KPMG, provided that there are no valid grounds for their retention (e.g. compliance with a legal requirement, KPMG's defence in judicial proceedings). |
| Limitation | Data subjects have the right to request the limitation of data processing, in particular where they have contested the accuracy of personal data or objected to the processing and during the assessment period of the request from KPMG. |
| Portability | Customers have the right to receive the personal data they have provided to KPMG or that result from the use of KPMG services. |
| Not being subject to exclusively automated decisions | Customers have the right to request human intervention or to challenge decisions based on fully automated personal data processing. |
| Submit a complaint to CNPD (National Data Protection Commission) | Data subjects have the right to submit complaints to CNPD about matters related to the exercise of their rights and the protection of their personal data. |
You can make a request or exercise these rights by contacting KPMG by letter to headquarters address: Edifício FPM 41 – Avenida Fontes Pereira de Melo, 41 – 15º, 1069-006 Lisboa, or by e-mail at firstname.lastname@example.org and we will make all reasonable and practical efforts to comply with your request, so long as it is consistent with applicable law and professional standards.
8. What personal data do we share and transfer
KPMG may share and transfer personal data to third parties within its legitimate business activities.
8.1 Transfer within the network of KPMG firms
KPMG shares information about you with other member firms of the KPMG network as part of international engagements, and with KPMG International and other member firms where required or desirable to meet our legal and regulatory obligations around the world. Other parts of the KPMG network are also used to provide services to us and you, for example hosting and supporting IT applications, provision of certain forms of insurance for member firms and its clients, performing client conflicts checks and Anti-Money Laundering checks, assisting with client engagement services and otherwise as required in order to continue to run KPMG’s business.
8.2 Transfers to third parties
We do not share personal information with third parties, except as necessary for our legitimate professional and business needs, to carry out your requests, and/or as required or permitted by law or professional standards. This includes:
| Service providers | KPMG transfers your personal information to our third party service providers, such as our (IT) systems providers, our hosting providers, our payroll providers, consultants (such as legal advisers) and other goods and services providers. KPMG works with such providers so they can process your personal information on our behalf. KPMG will only transfer personal information to them when they meet our strict standards on the processing of data and security. We only share personal information that allows them to provide their services. |
| Regulators and other public authorities | KPMG will disclose personal information in order to respond to requests of courts, tribunals, government or law enforcement agencies or where it is necessary or prudent to comply with applicable laws, court or tribunal orders or rules, or government or professional regulations, such as to CMVM (Portuguese Securities Market Commission), Banco de Portugal, Portuguese Tax Authorities (AGT), Ordem dos Revisores Oficiais de Contas (OROC). |
| Audits | Disclosures of personal information will also be needed for data privacy or security audits and/or to investigate or respond to a complaint or security threat. |
| Insurers | Our professional rules and our business requirements mean that we carry significant insurance cover in respect of business activities (our ‘insurance programme’). This is required to assist each member firm of the KPMG network in covering the costs associated with claims which may arise in the event that it is alleged that something has gone wrong during the course of providing services to its clients. In order to make the insurance programme work effectively, the insurance programme involves a number of different participants in the insurance market (e.g. brokers, insurers and reinsurers, as well as their professional advisors and other third parties involved should there be a claim). Some of these insurance market participants will require that we disclose personal information about you to them. The information will be used by the insurance market participants in the underwriting and ongoing administration of the insurance programme, where there is a claim that you are relevant to and to allow the insurance market participants to comply with their legal and regulatory obligations. Some of these insurance market participants will handle this information on our behalf (like our service providers described above), but others will want to process information about you independent of us. |
| If we are reorganized or sold to another organization | KPMG will typically also disclose personal information in connection with the sale, assignment, or other transfer of any element of KPMG’s business to which the personal information relates. |
Locations where KPMG Routinely Processes Personal Data
We can send, store or otherwise process your personal information in the following locations:
In addition, KPMG will transfer certain personal information outside of the EEA to outside companies working with us or on our behalf for the purposes described in this Privacy Statement. KPMG will also typically store personal information outside of the EEA.
KPMG shall not transfer any Personal Data to any country outside of the European Economic Area unless the transfer is made (i) to any country considered as a place giving an appropriate level of protection by the EU Commission, or (ii) subject to such other data transfer mechanism or protections as are approved and accepted by the Applicable Data Protection Legislation from time to time.
KPMG will not transfer the personal information you provide to any third parties for their own direct marketing use.
9. How we protect personal data
The protection of confidentiality and data integrity is (i) a legal and regulatory requirement, and (ii) one of the pillars for building trust between KPMG and its customers, employees, regulatory authorities and business partners.
KPMG has implemented appropriate organizational measures, processes and security systems to protect your personal data from unauthorized destruction, change and access, including: (i) access control mechanisms to information systems and data; (ii) specialised security systems (e.g. firewalls, antivirus, vulnerability management); (iii) mechanisms that record all actions carried out by employees and other users of information systems; (iv) data encryption, pseudonymization and anonymization mechanisms; (v) encrypting measures on equipment and mobile devices; (vi) physical security measures to protect facilities (e.g. physical access control, video surveillance); and (vii) a program to raise awareness and train KPMG professionals and third parties in the context of information security and personal data protection.
In general, you are not required to submit any personal information to KPMG online, but we will require you to provide certain personal information in order for you to receive additional information about our services and events. KPMG will also ask for your permission for certain uses of your personal information, and you can agree to or decline those uses. If you opt-in for particular services or communications, such as an e-newsletter, you will be able to unsubscribe at any time by following the instructions included in each communication. If you decide to unsubscribe from a service or communication, we will try to remove your information promptly, although we will require additional information before we can process your request.
11. Links to other sites
By registering on any KPMG website and then navigating to another KPMG website while still logged in, you agree to the use of your personal information in accordance with the privacy statement of the KPMG website you are visiting.
12. Changes to the Privacy Statement
KPMG may modify this Privacy Statement from time to time to reflect our current privacy practices. When we make changes to this statement, we will revise the "updated" date at the top of this page. Any changes to the processing of personal data as described in this Privacy Statement affecting you will be communicated to you through an appropriate channel, depending on how we normally communicate with you.
13. Policy questions and enforcement
We will acknowledge your email within 14 days and seek to resolve your concern within one month of receipt. Where the concern is complex or we have a large volume of concerns, we will notify you that the concern will take longer than one month to resolve, and we will seek to resolve your concern within three months of the concern being first raised. We may accept your concern (and in that case implement one of the measures set out in the ‘What are your rights as data subjects’ section above), or we may reject your concern on legitimate grounds.
In any case, you always have the right to file a complaint with the National Data Protection Commission in Portugal.